Content Security Policy for Rack

A long time ago I have implemented Content Security Policy as Rack middleware for my Ruby on Rails project. In short, CSP is a XSS mitigation mechanism. Server responds with HTTP header which defines trustworthy sources for different types of content (js, css, images) and browser restricts content from other sources. It's very powerful and you definitely should implement it along with other header-based security features (like X-Frame-Options, Origin, Strict-Transport-Security) especially as long as it won't take much time.

A couple of days ago I decided that it worths to publish middleware as a separate gem. I googled a bit and found csp_easy. However, it lacked few features (hash-based directives configuration, support to WebKit, Report-Only mode) and specs, so I decided not to fork and push my changes (I know it looks bad), but just to publish my own version.

Project is on Github. Read instructions and improve security of your Rack-based web application!


Polymorphous page objects

I'm a big fan of page object pattern used for developing Selenium tests and I like the whole approach it follows. However, there are some points which can be improved in this approach. Let's talk about them.

Imagine that we have profile page for authenticated user. It has navigation menu with a set of links: "Home", "Profile", "Messages". Typical page class will look like this:

class ProfilePage

  def click_home_link
    @browser.find_element(:id => 'home_link').click

  def click_profile_link
    @browser.find_element(:id => 'profile_link').click

  def click_messages_link
    @browser.find_element(:id => 'message_link').click

end # ProfilePage

Home and Messages pages are rather different page, but still have navigation menu. So they should have the same set of methods. We shouldn't duplicate code, so we need to extract these methods into a separate module.